kqlElastic-2.0from elastic/detection-rules
Remote File Creation in World Writeable Directory
Quality
92
FP risk
—
Forks
0
Views
0
Rule sourcerules/linux/lateral_movement_remote_file_creation_world_writeable_dir.toml
event.category:file and host.os.type:linux and event.action:creation and
process.name:(ftp or rsync or scp or sftp or sftp-server or ssh or sshd or vsftpd) and
file.path:((/dev/shm/* or /tmp* or /var/tmp*) and not (/tmp/ansible-tmp-* or /var/tmp/ansible-tmp-*)) and
not user.id:0